Citi Breach: A Warning to Banks

Industry experts agree it's too early to say how hackers managed to infiltrate Citi's online banking platform. [See Citi Breach Exposes Card Data.] But they all say the breach, which could have exposed personally identifiable information about 200,000 Citi customers, should serve as a wake-up call - not just for Citi, but for all banking institutions.

"The industry thought that putting Albert Gonzalez away was the end of large scale card hacking," says Mike Urban, senior director of fraud solutions for FICO, provider of fraud analytics and detection technology. "What we are seeing is a major resurgence in hacking, targeting the smallest to the largest endpoints where card or consumer data lives."

Tom Wills, a fraud analyst at Javelin Strategy & Research, says banks are losing the fraud fight because they aren't focusing on the right things. "Even though Citi - and the major banks in general - clearly takes security seriously and invests significant resources to protect its data assets, something like this can still happen," he says.

Citigroup confirmed June 9 that its Citi Account Online platform had been accessed by an "unauthorized user." Citi spokesman Sean Kevelighan says the banking corporation has implemented enhanced security procedures "to prevent a recurrence of this type of event."

Lessons Learned

How hackers broke into Citi's online system is not the main lesson for financial institutions, Wills says. The need for more sophisticated fraud detection is. "Even when you fund your security program well, hire first-rate professionals and follow best practices - and major global banks like Citi do exactly that as a rule - you're dealing with an extremely complex problem set that has literally millions of failure points," he says. "That makes 100 percent ironclad protection an impractical goal. The best you can aim for is to cover the biggest threats with the biggest impact."

None of this excuses the breach, Wills adds. "If Citi is wise, they'll do some serious reflection, and make sure this particular failure doesn't repeat itself."

Urban says that with few known details about how the breach actually happened, it's difficult to say which endpoint or access point may have been compromised, or whether the entry came through a third party. "[It] could be anywhere, but sounds like they hit them directly," he says. "This is yet another [incident] in what is turning into a major 'breach streak,' which will make all of us rethink what information security really means."

Lockheed, the country's largest military contractor, discovered a breach of its systems on May 21. RSA is now working to replace its customers' authentication tokens and says it will provide additional factors to strengthen all of its authentication products. [See RSA to Get Its First Chief Security Officer.]

Hackers have the advantage, Javelin's Wills says. And like most breaches, the biggest worry for Citi right now should be its reputation. "The biggest damage for Citi is probably going to be reputational, because the hackers apparently didn't pull enough customer data to commit out-and-out fraud," Wills says. "But I won't be surprised to see it used in phishing and other social-engineering attacks - or aggregated with other compromised customer data to commit fraud, which is the bad guys' modus operandi these days."

Breach Raises Questions About Notification

Neal O'Farrell, founder of the Identity Theft Council, a support group for victims of identity theft, says the "slow drip" of breach information and facts is really what most hurts reputation, because it adversely affects the consumers and companies affected by the breach.

"I'm a Citi customer, have been for years. I still can't find any answers from Citi," O'Farrell says. "It's very frustrating, both as a customer and a professional, to see that banks still don't get it - the importance of being ready to talk to their customers clearly, fully and early."

By notifying the OCC, Citi met at least part of its regulatory requirements for breach notification. Banking institutions are expected to notify their primary regulators any time sensitive customer data is compromised. How or if Citi has directly notified customers is unknown. Regulatory guidelines do suggest banks notify customers within a reasonable time period after a breach. [Read the American Bankers Association's perspective on the guidelines.]

But O'Farrell says Citi's notification process was weak.

"It looks like Citi discovered the breach about a month ago. I honestly don't think they need that much time to get even a fundamental understanding of the nature of the breach, and I'm a big proponent of the earliest possible public notification," O'Farrell says. "Early public and customer notification is rarely likely to jeopardize a response or investigation."

The only time early notification could cripple a case is when the breach has not yet been contained and the intruders are unaware they've been detected, he says.

O'Farrell says banks should use the Citi breach as an example, and a reason to revamp their crisis response plans. "A good response to a breach can go a long way to reducing the long-term financial and brand cost, and help rebuild customer trust faster," he says. "And customer trust should always be the bottom line for any financial institution."

About the Author

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
